Configuring YARN with Kerberos

Provides instructions on how to configure YARN to run with Kerberos on every node in the cluster.

Make sure that the following tasks are already completed, as directed in earlier sections of this guide:

Now complete the following tasks.

Configure the yarn-site.xml File

Add the following properties to the yarn-site.xml file on every node in the cluster.

/opt/mapr/hadoop/hadoop-<version>/etc/hadoop/yarn-site.xml
NOTE: You need to use /opt/mapr/conf/mapr.keytab for the keytab property and mapr instead of yarn for the principal property.
<!-- ResourceManager security configs -->
<property>
 <name>yarn.resourcemanager.keytab</name>
 <value>/opt/mapr/conf/mapr.keytab</value>    <!-- path to the YARN keytab -->
</property>
<property>
 <name>yarn.resourcemanager.principal</name>
 <value>mapr/_HOST@YOUR-REALM.COM</value>
</property>
 
<!-- NodeManager security configs -->
<property>
 <name>yarn.nodemanager.keytab</name>
 <value>/opt/mapr/conf/mapr.keytab</value>    <!-- path to the YARN keytab -->
</property>
<property>
 <name>yarn.nodemanager.principal</name>
 <value>mapr/_HOST@YOUR-REALM.COM</value>
</property>
<property>
 <name>yarn.nodemanager.container-executor.class</name>
 <value>org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor</value>
</property>
<property>
 <name>yarn.nodemanager.linux-container-executor.group</name>
 <value>mapr</value>
</property>

Configure the mapred-site.xml File

Add the following properties to the mapred-site.xml file on every node in the cluster.

/opt/mapr/hadoop/hadoop-2.7.0/etc/hadoop/mapred-site.xml

Note that you need to use /opt/mapr/conf/mapr.keytab for the keytab property and mapr instead of yarn for the principal property.


        <!-- MapReduce Job History Server security configs -->
        <property>
          <name>mapreduce.jobhistory.address</name>
          <value>host:port</value> <!-- Host and port of the MapReduce Job History Server; default port is 10020 -->
        </property>
        <property>
          <name>mapreduce.jobhistory.keytab</name>
          <value>/opt/mapr/conf/mapr.keytab</value>    <!-- path to the YARN keytab -->
        </property>
        <property>
          <name>mapreduce.jobhistory.principal</name>
          <value>mapr/_HOST@YOUR-REALM.COM</value>
        </property>
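
Because the same properties must be present on every node, a pre-restart check of both site files catches malformed XML, a leftover yarn principal, or an unreplaced realm placeholder. The following Python check is an added example, not part of the MapR tooling; the function name audit_site_xml, the sample host jhs1 and the realm EXAMPLE.COM are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

KEYTAB = "/opt/mapr/conf/mapr.keytab"
LCE = "org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor"
# Properties set on this page; None means any non-empty value is accepted.
EXPECTED = {
    "yarn-site.xml": {
        "yarn.resourcemanager.keytab": KEYTAB, "yarn.resourcemanager.principal": None,
        "yarn.nodemanager.keytab": KEYTAB, "yarn.nodemanager.principal": None,
        "yarn.nodemanager.container-executor.class": LCE,
        "yarn.nodemanager.linux-container-executor.group": "mapr"},
    "mapred-site.xml": {
        "mapreduce.jobhistory.address": None,
        "mapreduce.jobhistory.keytab": KEYTAB, "mapreduce.jobhistory.principal": None},
}

def audit_site_xml(kind, xml_text):
    """Return a list of findings for one site file; an empty list means it passes."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:   # for example a closing tag typed as ">/name>"
        return [f"{kind}: not well-formed XML ({exc})"]
    props = {p.findtext("name", "").strip(): p.findtext("value", "").strip()
             for p in root.iter("property")}
    findings = []
    for name, want in EXPECTED[kind].items():
        value = props.get(name)
        if not value:
            findings.append(f"{name}: missing")
        elif want is not None and value != want:
            findings.append(f"{name}: expected {want!r}, found {value!r}")
        elif name.endswith(".principal"):
            primary, _, rest = value.partition("/")
            instance, _, realm = rest.partition("@")
            if primary != "mapr":
                findings.append(f"{name}: primary is {primary!r}, not 'mapr'")
            if instance != "_HOST":   # assumption: one file is copied to every node
                findings.append(f"{name}: instance is {instance!r}, not '_HOST'")
            if realm in ("", "YOUR-REALM.COM"):
                findings.append(f"{name}: realm placeholder not replaced")
    return findings

# Constructed sample: yarn/ principal left in place and the keytab property missing.
SAMPLE = """<configuration>
 <property><name>mapreduce.jobhistory.address</name><value>jhs1:10020</value></property>
 <property><name>mapreduce.jobhistory.principal</name><value>yarn/_HOST@EXAMPLE.COM</value></property>
</configuration>"""
if __name__ == "__main__":
    print("\n".join(audit_site_xml("mapred-site.xml", SAMPLE)))
```

To audit a node, pass the contents of its yarn-site.xml or mapred-site.xml as xml_text with the matching kind.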
      

Modifying the env.sh File

The env.sh file contains a setting for MapR login options that defaults to the value maprsasl. Change this value to hybrid, which applies to Kerberos and other security protocols.

The new line (after the change) should look like this:

MAPR_LOGIN_OPTS="-Dhadoop.login=hybrid ${MAPR_JAAS_CONFIG_OPTS} ${MAPR_ZOOKEEPER_OPTS}"

Restart ResourceManager, NodeManager, and JobHistoryServer

Restart the NodeManager, ResourceManager, and JobHistoryServer services, using either the maprcli node services command (with the name option) or the MCS. After restarting the services, make sure you can run simple Hadoop jobs by running:
hadoop jar /opt/mapr/hadoop/hadoop-<version>/share/hadoop/mapreduce/hadoop-mapreduce-examples-<version>.jar pi